{"id": "NEW-RAT-TARGETS-KOREANS-AND-IS-SKILLED-AT-EVADING-DETECTION/124759", "bulletinFamily": "info", "title": "New RAT Targets Koreans And Is Skilled At Evading Detection", "description": "Researchers have identified a stealthy new remote access tool dubbed ROKRAT that leverages a bevy of anti-detection measures. The RAT is delivered through documents for Hangul Word Processor (HWP), a Korean-language alternative to Microsoft Word.\n\nROKRAT was detected several weeks ago by Cisco Talos, who said the malware is part of a phishing campaign by threat actors leveraging malicious email attachments. The goal of the attackers is complete control over the victim\u2019s system.\n\n\u201cThis actor is quick to cover their tracks and very quickly cleaned up their compromised hosts. 
We believe the compromised infrastructure was live for a mere matter of hours during any campaign,\u201d wrote Cisco Talos researchers Warren Mercer, Paul Rascagneres and Matthew Molyett, who co-authored a [technical post regarding ROKRAT](<http://blog.talosintelligence.com/2017/04/introducing-rokrat.html>) posted on Monday.\n\n\u201cWe believe this is a targeted attack aimed at South Korean users in the public sector conducted by a sophisticated threat actor with access to native Korean speakers. Attacks on these individuals may be an attempt to gain a foothold into assets which can be deemed extremely valuable,\u201d wrote Cisco Talos researchers in a previous [February post](<http://blog.talosintelligence.com/2017/02/korean-maldoc.html>) on the same malicious file attachments used by threat actors in this most recent attack.\n\nTargets of ROKRAT are sent phishing messages from an email address tied to South Korea\u2019s Yonsei University on the topic of an upcoming and fictitious \u201cKorean Reunification and North Korean Conference\u201d. Recipients are enticed to open the attachments to provide feedback to conference organizers. While the phishing email references a fake Yonsei University conference, the university did hold a unification conference in January, lending credibility to the message.\n\nThe phishing emails contain two HWP documents, each with an embedded Encapsulated PostScript (EPS) object. \u201cThe purpose of the EPS is to exploit a well-known vulnerability (CVE-2013-0808) to download a binary disguised as a .jpg file. 
This file is decoded and finally an executable is launched: ROKRAT,\u201d said researchers.\n\nThe EPS vulnerability [CVE-2013-0808](<https://www.coresecurity.com/advisories/eps-viewer-buffer-overflow-vulnerability>) dates back to a 2013 advisory by the Core Exploit Writers Team that warned of an EPS viewer buffer overflow vulnerability allowing a remote attacker to execute arbitrary code on targeted machines.\n\n\u201cAs with all HWP documents, the information is zlib compressed so you must decompress the .EPS to get the true shellcode,\u201d researchers said. The shellcode exploits CVE-2013-0808 and downloads the ROKRAT binary from a C2 server, disguised as a .jpg file named either \u201cworker.jpg\u201d or \u201ckingstone.jpg\u201d.\n\nHowever, if the malware detects a sandbox environment it will not execute, and it tries to confuse security researchers by appearing to connect to and load either an Amazon video of a game called \u201cMen of War\u201d or a Hulu anime video called \u201cGolden Time\u201d. Neither of the URLs linking to the videos is malicious.\n\nWhile the attack focuses on the Korean word processing program HWP, researchers warn that the EPS flaw could also be exploited through Microsoft Word. \u201cYes, it could since it was an EPS vulnerability. Anything that could embed an EPS file could be a potential (attack) vector,\u201d said Craig Williams, senior technical leader at Cisco Talos, in an interview with Threatpost.\n\nPost infection, the malware continues its evasive behavior. \u201cThe RAT used during this campaign was innovative, using novel communication channels. ROKRAT uses Twitter and two cloud platforms \u2013 Yandex and Mediafire \u2013 in order to give orders, send files, and get files,\u201d Williams said.\n\nHe said blocking malicious communication between infected hosts and Twitter, Yandex and Mediafire within organizations is extremely difficult because they are legitimate services. 
Additionally, each of the services uses HTTPS, making it much more difficult to identify specific communication patterns or the use of specific tokens, Williams said.\n\nWith control of a victim\u2019s system, threat actors can install a keylogger or take application screenshots.\n\nCisco Talos said attackers have found success with ROKRAT, noting that it has identified infected systems communicating with the attackers\u2019 C2 servers as recently as this week.\n\n\u201cThis investigation shows us once again that South Korean interests sophisticated threat actors. In this specific case, the actor compromised a legitimate email address of a big forum organized by a university in Seoul in order to forge the spear phishing email which increased the chance of success,\u201d researchers said.", "published": "2017-04-04T11:35:00", "modified": "2017-04-04T15:35:50", "cvss": {"score": 0, "vector": "NONE"}, "href": "https://threatpost.com/new-rat-targets-koreans-and-is-skilled-at-evading-detection/124759/", "reporter": "Tom Spring", "references": ["https://threatpost.com/russian-speaking-turla-joins-apt-elite/124695/", "https://www.coresecurity.com/advisories/eps-viewer-buffer-overflow-vulnerability", "http://blog.talosintelligence.com/2017/02/korean-maldoc.html", "https://threatpost.com/fake-seo-plugin-used-in-wordpress-malware-attacks/124725/", "http://blog.talosintelligence.com/2017/04/introducing-rokrat.html", "https://threatpost.com/fileless-banking-malware-attackers-break-in-cash-out-disappear/124711/"], "cvelist": ["CVE-2013-0808"], "type": "threatpost", "lastseen": "2017-04-04T16:27:50", "history": [], "edition": 1, "hashmap": [{"key": "bulletinFamily", "hash": "caf9b6b99962bf5c2264824231d7a40c"}, {"key": "cvelist", "hash": "bb8e64c3ed04fc042c7ff7c7351b2088"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "2d0dc7dc36f6ea09a4ec5a8e1b6f4a1f"}, {"key": "href", "hash": 
"1bb977635b6a1686a2168718b75aa572"}, {"key": "modified", "hash": "b41d3e75c4d6d7119c9b52ac794b0d65"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "889b1120ffdd7a9bdca6e89e6070ef26"}, {"key": "references", "hash": "aa398d9008f749b555beed964c21aa54"}, {"key": "reporter", "hash": "4cf098518cf7bc09c1acdd6bf301d86f"}, {"key": "threatPostCategory", "hash": "519cde982c0c855e9b7f4dc0923103a9"}, {"key": "title", "hash": "acf294206fcf572de3b9b951fa8ce5f5"}, {"key": "type", "hash": "78295e0f58b887188b62cad09f8e24d4"}], "hash": "be1d5441d22f8195c9c4fc20e24e6336b0081019aa14432fef1244469882e438", "viewCount": 34, "objectVersion": "1.2", "threatPostCategory": "Hacks", "enchantments": {"vulnersScore": 4.6}}
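The analysis step quoted in the record above, that the EPS object inside an HWP document is zlib compressed and must be inflated before the real shellcode is visible, as an added worked example. This is triage code written for this page, not tooling from Cisco Talos or Threatpost. Assumptions, labelled in the code: HWP 5.x files are OLE compound documents whose embedded objects are streams under the BinData storage, stored as raw deflate (zlib without the two-byte header) when the document's compression flag is set; the sample EPS is constructed and is not the real dropper; the hex-string length and NOP-sled thresholds are analyst heuristics, not a signature for CVE-2013-0808. Reading a real file needs the third-party olefile package; the constructed sample runs with the standard library alone.

```python
"""Inflate HWP BinData streams and triage the resulting EPS for shellcode carriers."""
import re
import zlib

# PostScript hex-string literal <...>; a very long one is the usual way to
# carry a shellcode buffer inside an EPS. 256 hex digits (128 bytes) is an
# assumed triage threshold, not a published indicator.
LONG_HEX_RE = re.compile(rb"<([0-9A-Fa-f\s]{256,})>")
# Run of 0x90 (x86 NOP) bytes inside a hex string.
NOP_SLED_RE = re.compile(rb"(?:90){16,}", re.IGNORECASE)


def inflate_hwp_stream(data: bytes) -> bytes:
    """Decompress one HWP stream.

    Raw deflate (wbits=-15) is tried first because that is how HWP stores
    BinData (assumption); a zlib stream with header is accepted as a fallback.
    If neither decodes cleanly to end-of-stream the bytes are returned
    unchanged, which covers documents saved without compression.
    """
    for wbits in (-zlib.MAX_WBITS, zlib.MAX_WBITS):
        inflater = zlib.decompressobj(wbits)
        try:
            out = inflater.decompress(data)
        except zlib.error:
            continue
        if inflater.eof:
            return out
    return data


def find_eps_indicators(eps: bytes) -> dict:
    """Score a decompressed EPS for traits of a shellcode carrier."""
    hex_blobs = [b"".join(m.group(1).split()) for m in LONG_HEX_RE.finditer(eps)]
    return {
        "is_postscript": eps.lstrip().startswith(b"%!PS"),
        "long_hex_strings": len(hex_blobs),
        "longest_hex_bytes": max((len(h) // 2 for h in hex_blobs), default=0),
        "nop_sled": any(NOP_SLED_RE.search(h) for h in hex_blobs),
    }


def is_suspicious(ind: dict) -> bool:
    """Triage verdict: a NOP sled, or PostScript carrying a long hex buffer."""
    return ind["nop_sled"] or (ind["is_postscript"] and ind["long_hex_strings"] > 0)


def extract_eps_from_hwp(path: str):
    """Yield (stream_name, inflated_bytes) for each EPS under BinData of a real
    HWP file. Needs the third-party olefile package; assumes embedded EPS
    streams keep a .eps suffix (e.g. BinData/BIN0001.eps)."""
    import olefile  # imported lazily; not needed for the constructed sample
    ole = olefile.OleFileIO(path)
    try:
        for entry in ole.listdir(streams=True, storages=False):
            if entry[0] == "BinData" and entry[-1].lower().endswith(".eps"):
                yield "/".join(entry), inflate_hwp_stream(ole.openstream(entry).read())
    finally:
        ole.close()


def _raw_deflate(data: bytes) -> bytes:
    """Compress the way HWP does (raw deflate); used only to build the sample."""
    c = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    return c.compress(data) + c.flush()


# Constructed sample: a minimal EPS whose one hex string holds a 32-byte NOP
# sled followed by filler. It is not the real ROKRAT dropper.
SAMPLE_EPS = (
    b"%!PS-Adobe-3.0 EPSF-3.0\n"
    b"/buf <" + b"90" * 32 + b"31c0" + b"cc" * 100 + b"> def\n"
    b"showpage\n"
)
SAMPLE_STREAM = _raw_deflate(SAMPLE_EPS)


if __name__ == "__main__":
    eps = inflate_hwp_stream(SAMPLE_STREAM)
    ind = find_eps_indicators(eps)
    print(ind, "SUSPICIOUS" if is_suspicious(ind) else "clean")
```

To run it against a real document, iterate extract_eps_from_hwp(path) and pass each inflated stream to find_eps_indicators; the verdict is a triage hint for an analyst, since a long hex string can also be a legitimate embedded image.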